FortiGuard Threat Intelligence Roundup

For those of you who don’t know, Fortinet publishes a threat intelligence roundup every Friday, the Fortinet Threat Intelligence Brief, that reviews new threats and trends. It is a treasure trove of analysis and information that ought to be part of your regimen every Friday. This week is no exception.

Here are a couple of teasers and takeaways:

1. Ransomware isn’t going away any time soon. Every time organizations think they have a handle on this, ransomware developers come up with a new variant designed to evade detection. Nemucod is a malware Trojan tool that is often used to drop a variety of ransomware variants, such as Locky, Teslacrypt, and .CRYPTED. After a couple of weeks of reduced activity (perhaps either the developers or targets were on summer vacation), its activity has spiked, taking two of the top three spots on our malware tracking list.

One interesting development is that this week our FortiGuard Labs team started detecting and tracking a new Visual Basic Script (VBS)-based Nemucod malware, called VBS/Nemucod.ASB!tr.dldr. It’s a classic example of how security teams need to be extra vigilant, because criminals are always looking for a way to sneak in that you haven’t considered yet.

We have also discovered several new variants of CryptXXX Ransomware, which is now manifesting itself in executables as well.

Clearly, there is still plenty of money to be extorted from victims. And as we discussed in our recent 2016 Security Predictions update, we have now begun to observe the ransoming of IoT devices. This allows ransom-based attacks to expand beyond traditional targets, such as hospitals and police stations, to individual users. It seems pretty clear that it won’t be long before access to one’s car, home, or even appliances will be held for ransom.

2. Security threats never die. It is interesting to watch attacks and attack vectors rise and fall. Things like spam will drop off, and then return with a vengeance. PDF and JavaScript attacks are on the decline after spiking just a few months ago.

Two weeks ago we saw close to 3 billion Netis router backdoor probe incidents. Last week we saw just under 1 billion attempts. And this week it dropped off again by half. While it seems that this was a low-hanging fruit attack that may have run through its lifecycle, we can guarantee that a) it will linger around as long as folks delay updating or patching their devices, and b) we will continue to see opportunistic attacks like this as long as the time between vulnerability detection and the patching of exposed devices continues to be slow.

We recommend that you grab a copy of this week’s FortiGuard Threat Intelligence Brief, which provides more details, provides links to more information, and provides a breakdown of the detailed threat research published this week.